The present invention involves wireless telecommunication systems and/or networks, such as wireless local are a networks (LANs) and Mobile Internet Protocol (IP) systems. More particularly, the present invention involves the reuse of security associations when a mobile unit or mobile terminal undergoes handover from one stationary unit in the network to another.
With the rapid development of wireless and mobile communication technologies, communication security issues, such as user authentication, traffic privacy and message integrity have become important concerns. In response, a number of Internet Engineering Task Force (IETF) security protocol standards, such as the Internet Key Exchange (IKE) protocol, the Internet Security Association and Key Management Protocol (ISAKMP), and the Internet Protocol Security (IPSEC), are now employed in various wireless LAN and Mobile IP environments.
The IKE protocol was designed to provide a mechanism for two or more communicating parties, such as a mobile unit (MU) and a network stationary unit (SU), to negotiate various security services and security associations. A security service is a method or means for providing protection for the communication between the two or more parties, whereas, a security association (SA) is a relationship between the two or more communicating parties which defines how the parties will execute the agreed upon security services. A security association is actually defined by a set of attributes, such as an authentication algorithm, an authentication key, an encryption algorithm, an encryption key, and a SA lifetime, which represents the period of time during which the corresponding SA is valid. As one skilled in the art will appreciate, the SAs must be negotiated and in place before the two or more parties can begin secure communications the procedure for negotiating security services and SAs in accordance with the IKE protocol is accomplished in two phases. In a first phase (i.e., phase 1), the communicating parties negotiate the ISAKMP SA. The ISAKMP SA is defined by a set of basic security attributes which provide protection for subsequent ISAKMP exchanges. In a second phase (i.e., phase 2), and under the protection of the ISAKMP SA, the communicating parties negotiate the IPSEC SAs associated with the IPSEC authentication header (AH) protocol and/or the IPSEC encapsulating security payload (ESP) protocol. The IPSEC protocols provide security services for communications at the IP layer. As is known in the art, a specific IPSECSA is uniquely defined by a security parameter index (SPI), a destination IP address, and an IPSEC protocol (i.e., AH or ESP).
Because the SAs (i.e., the ISAKMP SA and the IPSEC SAs) are bound to the negotiating parties, the SAs are renegotiated whenever a mobile unit moves from one access point to another in a wireless LAN environment, or from one foreign agent to another in a mobile IP context. However, the IKE negotiation process is computationally intensive, particularly phase 1. This is especially troublesome in wireless LAN and mobile IP applications where the mobile unit is frequently undergoing hand-over from one SU to another and where the MU has limited computational power. Under such conditions, overall system performance will be exceptionally low since a significant amount of time must be spent renegotiating SAs rather than communicating.
It is an object of the present invention to provide a technique which improves the performance of a mobile unit (MU) in a wireless LAN or mobile IP environment, particularly during hand-over. The present invention accomplishes this by reusing rather then renegotiating the security associations (SAs) corresponding to the MU once the MU is handed-over. By reusing the SAs, less time is spent negotiating SAs. Consequently, a MU can begin secure communications almost immediately upon being handed-over from one SU to a another SU.
Accordingly, it is an objective of the present invention to provide a more efficient way to utilize SAs during hand-over.
It is another objective of the present invention to reduce and/or minimize the latency period between the time a MU is handed-over to a stationary unit and the time the MU can begin secure communications with that stationary unit.
It is yet another objective of the present invention to generally improve the performance of a MU through seamless hand-over.
It is still another objective of the present invention to maintain a required level of performance without sacrificing communication security.
In accordance with one embodiment of the present invention, the above-identified and other objectives are achieved through a method and/or an apparatus for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit. The method involves disconnecting the mobile unit from the first stationary unit, and thereafter, connecting the mobile unit to the second stationary unit. The method also involves reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to support the connection between the mobile unit and the first stationary unit.
In accordance with another embodiment of the present invention, the above-identified and other objectives are achieved with a method and/or an apparatus for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit. More specifically, the method involves disconnecting the mobile unit from the first stationary unit, and thereafter, connecting the mobile unit to the second stationary unit. The method then involves reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to ensure secure communications for a connection between the mobile unit and a third stationary unit, and wherein the third stationary unit and the second stationary unit are associated with a first administrative domain that employs a common security policy.
In accordance with still another embodiment of the present invention, the above-identified and other objectives are achieved with a method for reusing security associations to facilitate hand-over of a mobile unit between stationary units that are associated with a common administrative domain, wherein all of the stationary units associated with the common administrative domain are subject to the same security policy. The method involves negotiating a first security association for a connection between the mobile unit and a first stationary unit associated with the common administrative domain. The mobile unit is then disconnected from the first stationary unit, and thereafter, connected to a second stationary unit associated with the common administrative domain. A first set of security association attributes, corresponding to the first security association, is then transferred from the first stationary unit to the second stationary unit. The first security association can then be employed to ensure secure communications for the connection between the mobile unit and the second stationary unit.